
Application sandboxing a necessity, despite recent exploits

Security experts have confirmed that application sandboxing is still an absolute necessity in an enterprise environment, despite numerous recent exploits that bypass the security control. The Pwn2Own 2014 hacking contest was held recently and demonstrated that current attacker skill sets are well ahead of the best information security advice available. The contest proved, without doubt, that even the most locked-down and hardened software is vulnerable to current attacks, so organisations must be aware of this and implement controls appropriately.

The contest, sponsored by computing giant HP, is one of a number of contests held amongst technical security researchers to discover the latest zero-day exploits. Pwn2Own 2014 was held as part of the CanSecWest security conference in Vancouver last week. The contest offers cash rewards to security researchers who can find unique exploits in some of the most used software across the globe. The rewards for these exploits, or zero-days, vary in cash value but are high enough to attract a large crowd of vulnerability hunters, which suggests that taking part is worthwhile.

Major Internet browsers such as Safari, Firefox and Internet Explorer had exploits demonstrated against them at Pwn2Own 2014.

The outcomes of this year's event were not disappointing, with security researchers finding bugs in numerous software products and, most notably, all major web browsers including Safari, Firefox and Internet Explorer. Additionally, the researchers were able to identify bugs in infamous software applications such as Adobe's Flash and Shockwave Player. To read more about these specific vulnerabilities, see our article "Adobe releases patch for critical vulnerability in Shockwave Player".

HP footed the bill for the payouts to security researchers, and early indications suggest that over $850,000 was paid out for the exploits demonstrated over the few days at the conference. 35 unique exploits were identified and demonstrated at the conference, with each vulnerability being demonstrated to the vendor responsible for the software. This enabled vendors to work closely with the security researchers to produce mitigations in the coming months.

As mentioned, the majority of exploits at the Pwn2Own 2014 contest centred on web browsers. Successful exploits were demonstrated against 3 of the major web browser platforms, with a total of 5 exploits shown by VUPEN Security, the French firm notorious for selling zero-day exploits across the globe. The browsers, namely Safari, Firefox and IE, were shown to have several zero-day vulnerabilities that allowed attackers to compromise browser sessions and the data contained within them. Specifically, the Firefox vulnerability, demonstrated by George Hotz, allowed remote code execution. A similar result was demonstrated by researchers Sebastian Apelt and Andreas Schmidt, who chained multiple vulnerabilities in IE 11 to achieve remote code execution. A heap overflow vulnerability demonstrated in Apple's Safari browser earned researcher Liang Chen a cash reward. The exploit was able to bypass the sandbox environment and allow the attacker to execute code remotely.

With web browsers the centre of attention, browser giant Firefox had several exploits demonstrated against it: of the 11 exploits demonstrated at the conference, 4 were against Firefox. HP had also located several zero-day exploits against Microsoft Internet Explorer that were not demonstrated at the showcase event, and instead reported them directly to Microsoft so that a mitigation could be developed.

With numerous security holes located in fully patched software, the event may have caused dismay for enterprises, as even up-to-date browsers could be vulnerable to attack. However, organisers stated that web browsers and other software are significantly more secure nowadays than they were when the contest first began over 5 years ago. Exploits are much more publicised today, but these and many more like them existed for years before, and security is generally going in the right direction. A point worth noting here is that many of the exploits demonstrated at the contest required multiple vulnerabilities to work in tandem to reach the point of remote code execution, making attacks significantly harder for the average attacker. Building such a chain of exploits is not simple, say security researchers.

At the forefront of this battle are sandboxing environments. Despite exploits being demonstrated that subvert these controls, application sandboxing is making life significantly harder for the cyber criminal by isolating code execution in a virtual container and preventing malware in a single application from taking over the entire system.

All of the major web browsers currently use application sandboxing to some extent. However, the exploits demonstrated here are able to break out of the sandbox environment if the sandbox is poorly implemented. Attackers will aim to either break out of the sandbox container directly or look for underlying vulnerabilities in the operating system to enable a breakout. Although sandboxing is not a magic solution, it certainly can slow an attacker down and add an extra layer of defence in a defence-in-depth approach.

Security researchers highly recommend that enterprises use application sandboxing to add a layer of defence. Although application sandboxes may be subverted, they increase the sophistication required of the attacker and may prevent a "one exploit to rule them all" scenario from taking place. With a secure application sandbox environment in place, any exploits can be contained and treated appropriately.